diff --git a/app/models/ability.rb b/app/models/ability.rb
index 513a6af..416474c 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -9,7 +9,9 @@ class Ability
 if user.admin?
 can :manage, :all
 elsif user.koelkast?
- can :manage, Order
+ can :manage, Order do |order|
+ !order.try(:user).try(:private)
+ end
 can :quickpay, User
 else
 can :read, :all
diff --git a/spec/models/ability_spec.rb b/spec/models/ability_spec.rb
index 67473a6..c480786 100644
--- a/spec/models/ability_spec.rb
+++ b/spec/models/ability_spec.rb
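Review bot: The block form of `can :manage, Order` is only evaluated when `can?` is given an Order instance; a class-level check such as `can? :index, Order` or `authorize! :read, Order` still answers true for koelkast, and `Order.accessible_by(current_ability)` raises because CanCan cannot turn a block into a query, so any order listing the koelkast user reaches must be filtered in the controller or the rule should become a hash condition that works in both contexts, e.g. `can :manage, Order, user: { private: false }` (only if `users.private` is a non-null boolean; the block treats a nil flag as non-private, so check the schema before switching). Note also that `order.try(:user).try(:private)` grants access to an order with no user at all, which is exactly what makes the spec's bare `Order.new` case pass. A short comment above the rule, such as `# koelkast may manage orders except those of users who set private`, would record the intent. The enclosing Ability#initialize starts and ends outside the hunk.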
@@ -5,37 +5,44 @@ describe User do
 subject(:ability){ Ability.new(user) }
 let(:user) { nil}
+ # Admin
 describe 'as admin' do
 let(:user) { create :admin }
- it{ should be_able_to(:manage, Product.new) }
 it{ should be_able_to(:manage, Order.new) }
+ it{ should be_able_to(:manage, OrderItem.new) }
+ it{ should be_able_to(:manage, Product.new) }
 it{ should be_able_to(:manage, Stock.new) }
 it{ should be_able_to(:manage, User.new) }
 end
+ # Normal User
 describe 'as normal user' do
 let(:user) { create :user }
- it{ should be_able_to(:read, Product.new) }
- it{ should_not be_able_to(:manage, Product.new) }
-
 it{ should be_able_to(:create, Order.new(user: user)) }
 it{ should be_able_to(:delete, Order.new(user: user, created_at: (Rails.application.config.call_api_after - 1.minutes).ago)) }
 it{ should_not be_able_to(:delete, Order.new(user: user, created_at: 10.minutes.ago)) }
- it{ should_not be_able_to(:manage, Order.new) }
+ it{ should_not be_able_to(:create, Order.new) }
+ it{ should_not be_able_to(:update, Order.new) }
- it{ should_not be_able_to(:manage, Stock.new) }
+ it{ should be_able_to(:read, Product.new) }
+ it{ should_not be_able_to(:delete, Product.new) }
+ it{ should_not be_able_to(:update, Product.new) }
+
+ it{ should_not be_able_to(:create, Stock.new) }
 it{ should be_able_to(:manage, user) }
- it{ should_not be_able_to(:manage, User.new) }
+ it{ should_not be_able_to(:create, User.new) }
+ it{ should_not be_able_to(:update, User.new) }
 end
 describe 'as koelkast' do
 let(:user) { create :koelkast }
 it{ should_not be_able_to(:manage, Product.new) }
- it{ should be_able_to(:manage, Order.new) }
+ it{ should be_able_to(:manage, Order.new, user: create(:user)) }
+ it{ should_not be_able_to(:create, build(:order, user: create(:user, private: true))) }
 it{ should_not be_able_to(:manage, Stock.new) }
 it{ should_not be_able_to(:manage, User.new) }
 end
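Review bot: The positive koelkast case `it{ should be_able_to(:manage, Order.new, user: create(:user)) }` hands `user:` to `be_able_to` as an extra argument instead of to `Order.new`, so the order under test has no user and the rule's `!nil.try(:private)` path is what makes it pass; it does not show that an order belonging to a non-private user is manageable. Write it as `it{ should be_able_to(:manage, Order.new(user: create(:user))) }` or, mirroring the negative case, `it{ should be_able_to(:manage, build(:order, user: create(:user, private: false))) }`. The negative case only checks `:create` while the rule is `:manage`, so adding `it{ should_not be_able_to(:update, build(:order, user: create(:user, private: true))) }` and a `:read` variant would pin the scope that matters for editing and listing private users' orders. A one-line comment above the koelkast block, such as `# orders of users flagged private are hidden from the koelkast account`, would make the intent of these two examples clear.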